Search K
Appearance
Appearance
Dovecot's event support includes the ability to narrow down which events are processed by filtering them based on the administrator-supplied predicate.
Individual events can be identified either by their name or source code location. The source location of course can change between Dovecot versions, so it should be avoided.
Regardless of the syntax used, matching is performed the same way:
Event names are compared using a case-sensitive wildcard match. The wildcards supported are ?
and *
.
\
character, e.g. \*
.Event location is compared in two parts: the file name is compared case-sensitively, and the line number is compared as an integer. For a match to occur, the filename must match and the line number must either match or be unspecified.
Event categories are compared using a "has a" relationship. A category in the filter must be present in the event for a match to occur. Any other categories on the event do not influence the match.
Event fields are compared using a case-insensitive wildcard match. The wildcards supported are ?
and *
.
The unified event filtering language is a SQL-like boolean expression that supports the AND
, OR
, and NOT
boolean operators, the =
, <
. >
, <=
, and >=
comparison operators, and parentheses to clarify evaluation order.
The key-value comparisons are of the form: <key> <operator> <value>
Where the key is one of:
event
category
source_location
The operator is one of:
=
>
<
>=
<=
And the value is either:
The value may contain wildcards if the comparison operator is =
.
The value comparison is case-insensitive, but the key is case-sensitive.
There are some limitations on which operators work with what field types:
string: Only the =
operator is supported.
ip: Only the =
operator is supported.
2001::1
matches 2001:0:0:0:0:0:0:1
.127.0.0.0/8
matches 127.4.3.2
.2001::1*
will match the IPs 2001::1
and 2001::1234
. However, 2001:0:0:0:0:0:0:1*
will not match either of them."fe80::1%lo"
won't match against "fe80::1%eth0"
. Note that the %
character needs to be inside a quoted string or event filter parsing fails.number: All operators are supported.
40*
will match numbers 40
and 401
.timestamp: No operators are supported.
a list of strings: Only the =
operator is supported. It returns true if the key is one of the values in the list. If the value is an empty string, it returns true if the list is empty.
Event fields have specific types that constrain the possible values they can be filtered by. For example, net_out_bytes
and message_size
are numeric and can only be matched against numeric values. Previously type mismatches were silently ignored, beginning with this version each type mismatch and unsupported operation generate a respective warning.
Sizes can be expressed using the unit values B
- which represents single byte values - as well as KB
, MB
, GB
and TB
which are all powers of 1024. If no unit is specified B
is used by default. All size units are case-insensitive.
Times can be specified with the units milliseconds
(abbrev. msecs
), seconds
(abbrev. secs
), minutes
(abbrev. mins
), days
, and weeks
.
For example, to match events with the event name abc
, one would use one of the following expressions. Note that white space is not significant between tokens, and therefore the following are all equivalent:
event=abc
event="abc"
event = abc
event = "abc"
A more complicated example:
event=abc OR (event=def AND (category=imap OR category=lmtp) AND \
NOT category=debug AND NOT (net_in_bytes<1024 OR net_out_bytes<1024))
A complicated example using size matching:
(category=debug AND NOT (net_in_bytes<1KB OR net_out_bytes<1KB)) OR \
(event=abc AND (message_size>1gb and message_size<1tB)) OR \
(event=def AND (duration<1mins))
Events can be filtered inside the metric
blocks (see Statistics) based on the event name, source location, the categories present, and field values.
The filter
metric key is set to the desired common filter language expression. For example:
metric example_http_metric {
filter = event=http_request_finished AND \
source_location=http-client.c:123 AND category=storage AND \
category=imap AND user=testuser* AND status_code=200
}
Settings such as log_debug
use the common filtering language. For example:
log_debug = (event=http_request_finished AND category=imap) OR \
(event=imap_command_finished AND user=testuser)